لطفا منتظر باشید ...
Publisher| DomainConcepts |
defines a logical boundary for objects that share common requirements
for
security, replication, and administration.
- Security
A domain is a security
boundary
within which objects (users, groups, computers, printers, and so on)
can be managed. For example, all users in a domain can log on to the
domain using their usernames and passwords. Domains also have their
own security policy, called a domain security policy, that defines
account policies such as password and account lockout settings. See
Group Policy later in this chapter for more
information on domain security policies.- Replication
A new domain is
created
when you install the first domain controller for the domain. Domains
are also units of replication, for all domain controllers in a domain
automatically replicate their Active Directory updates to one
another. See Domain Controller later in this
chapter for more information.- Administration
Domains share
common
administration, and members of the Domain Admins group have broad
rights and permissions for performing administrative tasks on objects
in the domain. These administrators can also delegate aspects of
domain administration to other trusted users using the Delegation of
Control Wizard. Administrators can add further structure to a domain
by creating a hierarchy of OUs within the domain. Administrators can
delegate authority over OUs to trusted users to allow them to perform
specific administrative tasks on the objects within the OUs. See
Delegation and OU in this
chapter for more information.
multidomain hierarchical structures called trees. A tree consists of
a root domain and one or more child domains joined by trusts to the
root or to each other in hierarchical fashion. Elements of a tree
share a common namespace. A forest consists of one or more trees
joined at the roots by trusts. All domains in a tree or forest
implicitly trust each other using two-way transitive trusts, allowing
users to log on to a client computer anywhere in the enterprise and
access shared resources on any server. For more information, see
Forest and Trusts later in
this chapter.Domains aren't the same as sites. Domains are
logical groupings of users, computers, and other Active Directory
objects, while sites are physical divisions between networks
connected by slow WAN links. One domain can span several sites, and
one site can contain several domains. For more information, see
Site later in this chapter.Domains are named
using DNSfor example,
mtit.com or sales.mtit.com .
The forest root domain is the first domain you create when you
install Active Directory. When you promote your first domain
controller, the forest root domain is created and is the root of both
your first tree and the entire forest. Domains in a tree must form a
contiguous namespace in Active Directory. For example, if the root
domain of a tree is mtit.com , then
vancouver.mtit.com and
seattle.mtit.com would be two examples of child
domains of mtit.com , while
support.vancouver.mtit.com and
sales.vancouver.mtit.com would be two more child
domains whose parent domain is
vancouver.mtit.com .In W2K, domains could not be renamedactually, there was a hack
in which you could create a new domain with the desired DNS name and
then use the MoveTree utility from Support Tools
to move all the objects from your old domain to the new one, but this
was tedious and somewhat risky. In WS2003, however, you can rename
domains, reposition domains within a tree, and create new trees using
the Rendom utility. This operation is still
tedious, but it's no longer risky and can be used to
restructure your forest after mergers and other major changes to your
company.
Domain Functional Level
In W2K, domains could run in one of
two domain modes:
- Mixed mode
Allowed downlevel domain
controllers running NT to coexist with
domain controllers running W2K by using NTLM authentication instead
of Kerberos- Native mode
Supported only domain
controllers running W2K by requiring
Kerberos authentication
You could switch W2K domains from mixed mode to native mode but not
the reverse.In WS2003 things are a little more complicated, for domains can now
run in one of four different domain functional levels:
- Windows 2000 mixed (default for new domains)
Supports domain
controllers running WS2003, W2K, and NT.- Windows 2000 native
Supports domain
controllers running WS2003 and W2K.- Windows Server 2003 interim
Supports domain
controllers
running WS2003 and NT. This is a special domain functional level that
exists only when you upgrade an NT-based network directly to WS2003.- Windows Server 2003
Supports only domain
controllers running WS2003.
By default, when you create a new domain, its domain functional level
is Windows 2000 mixed, which gives it the greatest degree of
interoperability with NT/2000 domain controllers. You can raise the
domain functional level for your domain to Windows 2000 native if you
have no more NT domain controllers or to WS2003 if you have no more
W2K domain controllers, but you can't undo this
operation afterward. Each time you raise the domain functional level,
additional features that simplify the administration of your
Windows-based network are supported; these are shown in Table 4-12.
Feature | Windows 2000 mixed | Windows 2000 native | Windows Server 2003 |
|---|---|---|---|
Universal groups | No | Yes | Yes |
Group nesting | Partial nesting (global groups can belong to domain local groups) | Full nesting | Full nesting |
NT domain controllers | Allowed | Prohibited | Prohibited |
W2K domain controllers | Allowed | Allowed | Prohibited |
Rename domain controllers | No | No | Yes |
Rename domains | No | No | Yes |
functional levels, depending on how far your network migration has
gone. Another type of functional level, called forest functional
level, affects all domains in your forest. For more information, see
Forest later in this chapter.
Planning Domains
When you are planning
an
Active Directory implementation, start by assuming that a single
domain will suffice, create OUs within your domain to add additional
structure mirroring the organization of your company, and then
delegate authority over OUs to suitable users. Plan for additional
domains only if necessary to separate administrative functions more
sharply between business subsidiaries, locations, or departments. For
example, the following security features are domainwide in scope:
- Password policy
- Account lockout policy
- Kerberos policy
- EFS recovery policy
- IPSec policy
- Public key encryption policy
- Certificate authorities
What this means is that if two departments in your company absolutely
must have different password policies, then these departments must be
different domains. Before you start creating additional domains, it
might be time to consider harmonizing security policies across your
company.Here are some reasons to create multiple
domains
or trees in your forest:
- Your company is large enough to consider using the complexity of a
multidomain implementation of WS2003 Active Directory. There is no
hard and fast rule for how big a company should be, though; this is
based essentially on your available IT resources and expertise, as
well as on the other factors described later. - Your company requires that IT administration be decentralized across
multiple locations or divisions. Multiple domains are appropriate
here because domains represent strong security boundaries for
administration of users, groups, computers, and other resources.
Domain Admins in one domain can't administer
resources in other domains unless they are explicitly given
permission to do so. - Your company requires distinct Group Policy security settings (such
as password and account lockout settings) for different locations or
divisions. This might even be for legal reasonsfor example, if
some of your subsidiaries are in foreign countries with different
legal security requirements. - Your WAN links are slow, and you want to keep replication traffic
between different locations to a minimum and to control it more
tightly. You could make each location both a separate domain in the
tree and a separate site. This is because the only Active Directory
information replicated between domains in a tree are the schema, the
configuration information, and the global catalog. If you use a
single domain with multiple sites instead, the site links between the
sites require enough bandwidth to support the greater traffic that
occurs during intradomain replication of Active Directory.
If you are migrating an existing NT-based enterprise to WS2003, the
migration strategy you use depends on which of the four NT domain
models your company currently employs:
- Single-domain model
If you are currently
using the single-domain model in your NT
network, you simply upgrade the existing NT domain to create a root
domain of a new WS2003 forest.- Single-master-domain model
This model consists of
an account domain (the master domain)
that is trusted by one or more resource domains (slave domains). You
first upgrade the account domain to create the root domain of your
new forest, then you upgrade the resource domains to become child
domains of the root domain. This results in a single tree with one or
more first-level child domains. An alternative is to upgrade your
account domain to a root domain, create one top-level OU in the root
domain for each existing resource domain, and then join the member
servers and workstations to the OUs within the root domain,
discarding the domain controllers in the resource domains. This
leaves you with a single domain to manage.- Multiple-master-domain Model
This model consists of
two or more account domains (master
domains), which trust each other, and one or more resource domains
(slave domains), each of which trusts every account domain. A
recommended procedure is first to create a new WS2003 domain as the
root domain of your forest. This domain is left empty except for
administrators belonging to the Enterprise Admins group. Next, you
migrate the account domains to become child domains of the empty root
domain. Finally, you migrate the resource domains to each become a
child domain of the most appropriate, former account domain. The
result is a tree with three levels of domains. Alternatively, you can
create OUs in the former account domains and join servers and
workstations in the resource domains to these former account domains,
placing them in the appropriate OUs. The result is a tree with only
two levels instead of three (a process called flattening the
domains), which is easier to manage.- Complete-trust model
This model consists of
two or more NT domains that trust each
other. The recommended procedure here is first to create an empty
root domain in a new forest and then migrate every NT domain to
become a child domain of the root domain. For example, if MTIT
Enterprises has the DNS domain name mtit.com and
consists of two relatively independent offices in Vancouver and
Seattle, you could create the forest root domain
mtit.com in one of the two locations and add a
few high-level Administrator accounts to the Enterprise Admins group
in this root domain. Do not create any OUs or any other Active
Directory objects such as users, groups, computers, or printers in
this domain. In other words, this root domain is empty except for a
few enterprise-level Administrator accounts. Then create the domains
vancouver.mtit.com and
seattle.mtit.com as child domains of the root
domain mtit.com . Let the members of the Domain
Admins group in each of these two child domains create the users,
groups, computers, printers, OUs, and other directory objects for
their own domains.
